We set out the requirements of MiFID II and GDPR and consider how regulated firms can address both requirements in their use and retention of customer data.
The scope of MiFID II and GDPR
MiFID II came into force on 3 January 2018. MiFID firms and those other firms caught under the gold-plated provisions of the FCA’s implementation of MiFID II will be required to comply with the new rules, which include best execution and client order handling requirements and an enhanced data retention regime (including requirements to record electronic communications and telephone conversations).
GDPR comes into force on 25 May 2018. Under GDPR, individuals will be provided with enhanced rights and organisations will continue to be restricted as to what they can do with the data they use and hold relating to customers. MiFID regulated firms must be accountable for the personal data they hold, and consider the purposes and period for which that data is retained. There are significant fines for non-compliance: up to €20 million or 4% of an organisation’s global turnover, whichever is higher.
The purpose of MiFID II is clear: to provide a strengthened financial services regulatory framework with improved governance and transparency requirements for the benefit of investors. GDPR’s purpose is to benefit individuals (including those same investors) by giving them greater control over the personal data relating to them.
Although the aims of both regulatory regimes are consistent with the trend since 2008 towards increased regulation (and, as a corollary, greater trust and security) in financial services markets, firms are likely to be left facing a compliance headache as they try to balance the inherent contradictions between protecting investors under MiFID II by retaining more information about them and their activities and acting in an appropriate manner in respect of those investors’ data under GDPR.
Inevitably, firms looking to ensure their processes and procedures comply with these two regimes simultaneously will need to act, where possible, in a manner that is proportionate to each. With that in mind, we set out below some of the areas of overlap between the requirements of MiFID II and GDPR and consider how regulated firms might look to address those requirements in a coherent, considered and consistent manner.
This article is split into four sections:
- How to achieve MiFID II data compliance
- Ensuring GDPR compliance
- How will regulated firms be required to change?
- Suggested action points for regulated firms
How to achieve MiFID II data compliance
In the context of retention, processing and reporting of data the MiFID II rules include the following requirements:
1. Client relationship
A firm, in relation to its MiFID business, must establish a record that includes the document or documents agreed between it and a client which sets out the respective rights and obligations of the parties and which must be retained for at least the duration of their relationship.
In addition, in a portfolio management context firms need to provide a suitability report under COBS 9.4, which must explain why the firm has concluded that a recommended transaction is suitable for the client. Preparation of these suitability reports will require firms to collect and process client information, and the reports must be retained for a period of five years in accordance with COBS 9A.4.1. Given that these reports are likely to include personal information, such as the client’s age and financial position (amongst other data), GDPR will also be relevant in this context.
2. Client order handling
Where a MiFID firm executes client orders and makes decisions to enter into transactions, it is required to keep records for at least five years immediately after receiving a client order or making a decision to deal in relation to every initial order received and every initial decision to deal. In each case COBS 11.5A sets out certain prescribed data that must be retained by the firm from a client.
Investment firms are also required to keep records of:
- the content and timing of instructions received from clients
- allocation decisions taken for each operation in relation to underwriting or placing of orders so as to retain a complete audit trail between the movements registered in clients' accounts and the instructions received by and decisions taken by the investment firm (COBS 11A.1.9EU).
These records must be retained for five years and are highly likely to involve the processing and storage of metadata relating to client dealings which contain client personal data. For other entities, such as small authorised UK AIFMs and residual CIS operators, similar requirements are set out in COBS 18 Annex 2.
Where a firm in relation to its MiFID business has carried out an order on behalf of a client other than for portfolio management, that firm is required to promptly provide the client with essential information concerning the execution of that order and will need to retain a copy of that confirmation for at least five years.
Meanwhile, investment firms which carry on portfolio management for clients are required to provide clients with periodic statements of their portfolio management activities carried out on behalf of that client, and the firm is required to retain a copy of those statements for at least five years from the date of despatch of the statement to clients.
3. Client reporting
Where a firm carries out an order on behalf of a client (other than under a discretionary mandate), that firm must provide an “occasional report” (under COBS 16A) setting out details of the executed trade, which must include:
- the name or other designation of the client (e.g. a client ID such as a Legal Entity Identifier)
- the time and date of the trade
- the type of order
- the unit price
- the total consideration paid by the client.
Firms must also issue periodic statements to clients, which include the name of the client and a statement of the contents and the valuation of the client’s portfolio, including details of each financial instrument held, its market (or fair) value, the cash balance at the beginning and end of the period and the portfolio value at the beginning and end of the reported period. Firms must retain these reports for a period of five years following the date of despatch to the client.
COBS 18 requires that firms retain information in respect of every decision to deal that is taken when providing a portfolio management service. This information must include substantially similar details as described above in relation to occasional reporting and periodic statements but must also include any specific instructions received from the client that specify how the order must be carried out.
4. Safe custody assets (including granting of security)
CASS 6.3.6AR sets out a limited number of circumstances in which a security interest, lien or right of set-off may be granted over a client’s safe custody assets such that the grantee is able to dispose of the client’s safe custody assets in order to recover debts. Where such circumstances arise and security is granted then the firm must record the details of the arrangements in both client contracts and the firm's own books and records to clarify the ownership status of such safe custody assets.
The rules on granting security are additional to the requirements on firms to keep such records and accounts as are necessary to enable the firm at any time and without undue delay to distinguish safe custody assets held for one client from those held for any other client and from the firm's own assets. Such records must be retained for a period of five years from the later of the date they were created or the date they were last modified.
5. Client money
Similar records to those required for clients’ safe custody assets must be retained by firms in relation to any client money that is held on behalf of clients. These records must be sufficient to determine the amount of client money the firm holds for each of its clients and to show and explain the firm's transactions and commitments for the client money it holds. These records must be retained for a period of five years from the later of the date they were created or the date they were last modified.
DISP 1.1A.37 requires investment firms to keep a record of the “MiFID II complaints” received and the measures taken for their resolution. To the extent that the facts relevant to such complaints include the need to disclose personal data such records will also need to comply with GDPR. This will be significant in the event that such data has to be provided to a competent authority (such as the FCA) and, where applicable under national law, to an alternative dispute resolution entity.
These requirements are supplemented by the general rules on record keeping (SYSC 9.1.1) which oblige regulated firms to arrange for orderly records to be kept of their business and internal organisation, including all services and transactions undertaken, which must be sufficient to enable the FCA to monitor the firm's compliance with applicable regulatory requirements. This rule is curbed slightly for "common platform firms" but only so as to disapply the “business and internal organisation” record retention requirement and to include a specific obligation that records relating to the common platform firms’ MiFID business be retained for at least five years.
The FCA’s general guidance on record keeping (SYSC 9.1.4) also provides that all records required to be kept in accordance with the FCA Handbook should be capable of being reproduced on paper in the English language.
Ensuring GDPR compliance
1. Lawfully processing personal data
To lawfully process personal data under GDPR organisations need to comply with certain data protection principles and establish a legal basis for processing personal data. For example, an authorised firm's processing of data must be fair, lawful and transparent; the data must only be used for specific purposes; and data must be kept accurate and protected from loss or destruction. The new principle of accountability under GDPR requires organisations not only to comply with the legislation but also to demonstrate their compliance.
We anticipate that the legal bases for processing that most regulated firms will use to justify their processing of personal data will be:
- where the firm has obtained consent from the individual
- to allow the firm to perform its obligations under a contract with that person
- to comply with the firm’s legal obligations
- to fulfil its necessary legitimate interests.
2. Rights of data subjects
GDPR grants individuals various rights in respect of their data. Regulated firms will need to ensure that they can address the exercise of such rights by their clients by updating their internal policies and procedures, developing response templates, training staff and testing their ability to isolate information relating to a particular client.
As an example, regulated firms will need to continue to be responsive to subject access requests from clients. GDPR has reduced the time frame for response to one month, and has removed the requirement for the individual to pay a fee (unless a request requires the firm to undertake extensive work). Regulated firms will need to be sure that their systems can cope with requests to locate and provide such information.
GDPR also provides data subjects with a right to erasure. This means that data subjects can request that the regulated firm restrict or stop the processing of their personal data. However, these requests should be considered in conjunction with the organisation’s legal requirement to retain records under MiFID II. If a regulated firm has a legal obligation under MiFID II to hold records of processing activities for five years, then that obligation takes precedence over the data subject's request for erasure of those records before the five year period has expired.
The right to portability is a new concept under GDPR but, from a practical perspective, should not be entirely new to regulated entities. Essentially, a data subject can request that all of their data be moved to a new service provider (e.g. an alternative fund provider). This is typically reflected in existing fund managers’ agreements, which require the existing provider to use all reasonable endeavours to assist the client in transferring to a new provider, including by providing the necessary information. The key regulatory requirement in this context is that firms must comply with such a request within one month.
3. Data export
GDPR places restrictions on transferring data outside of the EEA. Transfers to a third country or international organisation may only take place if the data being transferred is subject to an adequate level of protection. There are various means of ensuring that appropriate safeguards are in place. Transfers could be governed by:
- the model clauses that have been approved by the European Commission
- a code of conduct
- other certified mechanisms such as binding contractual rules.
Multi-national financial organisations should carry out data mapping exercises to work out where personal data is held and transferred, and ensure that any international transfers take place in accordance with one of the safeguards referred to above.
4. Breach notification
All regulated firms will be impacted by the changes to breach notifications and must maintain an internal register of data breaches. Under GDPR, any breach that is considered to be a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office (or the equivalent national data protection authority) within 72 hours.
If the personal data affected by the breach is not protected by appropriate technical and organisational measures which render the data unintelligible to any person who is not authorised to access it (e.g. encryption), then the affected data subjects will also have to be notified. As such, regulated firms will need to ensure that they have policies and procedures in place to identify incidents and to deal appropriately with required breach notifications within the time limits.
5. Reviewing supplier contracts
GDPR requires a binding contract to be put in place governing the relationship between data controllers and data processors, and stipulates certain compulsory provisions that the contract must contain, so that both parties understand their responsibilities and liabilities with respect to customer data.
Processors must be able to sufficiently guarantee that they will implement appropriate technical and organisational measures to satisfy GDPR’s requirements. Firms should now audit any agreements they have with their suppliers to check that they are GDPR-compliant. For example, there must be a duty on suppliers to cooperate, and obligations must be placed on suppliers to proactively notify the data controller (i.e. the authorised firm) of any breaches.
6. Appointing a data protection officer
Some regulated firms will be required to appoint a data protection officer (DPO) who will be responsible for ensuring compliance with GDPR. Organisations that carry out large scale systematic monitoring of individuals (for example, tracking online behaviour) must appoint a DPO. This may be relevant to firms who track consumer behaviour by monitoring particular investments and then suggest other opportunities based on such data.
GDPR also provides national data protection authorities with a number of powerful remedies for sanctioning those organisations in breach of the legislation. For example, GDPR grants data protection authorities the power to indefinitely restrict processing of personal data by an organisation. If enforced, this would have a catastrophic effect on the ability of most regulated entities to continue providing services to clients.
How will regulated firms be required to change?
It is understandable that the two regimes may appear to conflict: MiFID II requiring further enhanced monitoring and GDPR giving individuals more rights in respect of their data. However, the two can begin to be reconciled by considering the requirement to be transparent and inform individuals about how their data is collected, used and kept safe in the context of the provision of financial services.
Drafting and maintaining new policies which are sufficiently compliant with both regimes will require continuous consideration. For example, MiFID II may impose a five year requirement on record retention but GDPR requires authorised firms to consider purpose limitation (i.e. when does holding data become incompatible with the purpose for which it was obtained?) and accuracy of the data that is held, and also to address customers’ requests for erasure or porting of data.
In order to be able to demonstrate GDPR compliance, regulated firms will need to ensure that they have tested their systems and processes, and newly-implemented policies and procedures, to ensure that they can comply with enhanced data subject rights and the new obligations under GDPR (for example, relating to breach reporting).
Ensuring compliance with both regimes is not only about policy and procedural changes. In larger organisations teams that may not have previously worked together will now be required to collaborate on a regular basis to ensure that collection and processing of data and the retention of records is conducted in a manner that is compliant with both GDPR and MiFID II.
Firms should also be wary of outsourcing any client monitoring or recording functions. These will require prescriptive data processing agreements and, in addition, the European Securities and Markets Authority has opined in its MiFID II Q&A that for the purposes of the outsourcing rules, taping will be considered a critical or important operational function and so will require compliance with SYSC 8.
Suggested action points for regulated firms
- Map your current and anticipated client data flows. Do you know where your data is stored or if it is transferred outside of the EEA? Who in your organisation has access to the data? Where can they access it from?
- Consider conducting a data audit. Are you holding inaccurate or excessive amounts of data? For what purpose are you holding it? Can it be minimised? Is it secure? Is it backed up?
- Review supplier contracts. Do they contain the prescriptive requirements that GDPR requires data processing agreements to contain? Consider whether any outsourcing will be considered by the FCA to be "critical outsourcing" and therefore necessitate compliance with SYSC requirements.
- Test your systems and processes. If the firm receives a subject access request, will your staff understand what it is (i.e. have you provided suitable training)? Can you isolate personal data for a particular client? Can you respond within a month? Have you created response templates?
- Communicate updated policies and procedures. Teams may need to be shuffled to reflect different working arrangements. Staff should be trained to understand what a data breach is and whether it would need to be reported, within the time limits, to the data protection authorities or the data subjects. Individuals will need to be informed of how their information is processed, in compliance with the new requirements.
- Continuously review and update policies. We don’t expect compliance between the two regimes to be easy or completed early on.
- Consider compiling a register of documents containing client data and the length of time those documents have been retained for comparison against the regulatory record-keeping timeframes.
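The register suggested in the last action point, and the precedence rule described under the right to erasure (a live MiFID II retention period overrides an erasure request), can be expressed as a small retention engine. The following Python is an added example and is not code from the article or any firm's own tooling; the record categories, the `Record` fields, the sample register and all identifiers and dates in it are constructed for illustration. The retention triggers encoded are the ones the article cites: duration of the relationship for the client agreement, five years from receipt of the order for order records, five years from despatch for occasional reports and periodic statements, and five years from the later of creation and last modification for CASS safe custody and client money records.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Five-year retention periods cited in the article (COBS 11.5A, COBS 16A, CASS, SYSC 9.1.1).
RETENTION_YEARS = 5


@dataclass
class Record:
    """One entry in a hypothetical register of documents holding client data (constructed schema)."""
    record_id: str
    category: str                 # one of the categories handled in retention_end()
    client_id: str
    created: date
    last_modified: Optional[date] = None
    despatched: Optional[date] = None
    relationship_ended: Optional[date] = None  # None means the client relationship is ongoing


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """Earliest date on which the regulatory retention period for this record has expired.

    Returns None when the period has not yet started to run: an agreement with a client
    whose relationship is ongoing must be kept for at least the duration of that relationship.
    """
    if rec.category == "client_agreement":
        # Retain for at least the duration of the relationship.
        return rec.relationship_ended
    if rec.category == "order_record":
        # COBS 11.5A: five years immediately after the order was received / decision to deal.
        return add_years(rec.created, RETENTION_YEARS)
    if rec.category in ("occasional_report", "periodic_statement"):
        # COBS 16A: five years from the date of despatch to the client.
        if rec.despatched is None:
            raise ValueError(f"{rec.record_id}: despatch date required for {rec.category}")
        return add_years(rec.despatched, RETENTION_YEARS)
    if rec.category in ("safe_custody_record", "client_money_record"):
        # CASS: five years from the later of creation and last modification.
        start = max(rec.created, rec.last_modified or rec.created)
        return add_years(start, RETENTION_YEARS)
    raise ValueError(f"{rec.record_id}: no retention rule for category {rec.category!r}")


def erasure_decision(rec: Record, request_date: date) -> Tuple[bool, str]:
    """Precedence rule: an unexpired MiFID II retention obligation overrides an erasure request."""
    end = retention_end(rec)
    if end is None:
        return False, "retain: client relationship ongoing"
    if request_date < end:
        return False, f"retain: MiFID II retention period runs until {end.isoformat()}"
    return True, f"erasable: retention period ended {end.isoformat()}"


def process_erasure_request(register: List[Record], client_id: str,
                            request_date: date) -> Tuple[List[Record], List[Record]]:
    """Split one client's records into those that may be erased and those that must be kept."""
    erasable, must_retain = [], []
    for rec in register:
        if rec.client_id != client_id:
            continue
        ok, _reason = erasure_decision(rec, request_date)
        (erasable if ok else must_retain).append(rec)
    return erasable, must_retain


# Constructed sample register; identifiers and dates are illustrative only.
SAMPLE_REGISTER = [
    Record("R1", "client_agreement", "C-001", date(2013, 6, 1)),
    Record("R2", "order_record", "C-001", date(2012, 3, 15)),
    Record("R3", "periodic_statement", "C-001", date(2014, 1, 10), despatched=date(2014, 1, 31)),
    Record("R4", "client_money_record", "C-001", date(2010, 5, 1), last_modified=date(2015, 2, 28)),
    Record("R5", "order_record", "C-002", date(2011, 9, 9)),
    Record("R6", "order_record", "C-003", date(2016, 2, 29)),   # leap-day creation date
]


def demo(request_date_iso: str = "2018-06-01") -> Tuple[List[str], List[str]]:
    """Run client C-001's records through the rule; returns (erasable ids, retained ids)."""
    erasable, kept = process_erasure_request(SAMPLE_REGISTER, "C-001", date.fromisoformat(request_date_iso))
    return [r.record_id for r in erasable], [r.record_id for r in kept]


if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        if rec.client_id == "C-001":
            print(rec.record_id, erasure_decision(rec, date(2018, 6, 1))[1])
```

Run against the sample register with a request dated 1 June 2018, only the 2012 order record is erasable; the agreement is kept because the relationship is ongoing, and the statement and client money record are kept because their five-year clocks (from despatch, and from the last modification respectively) have not run. The reason strings are what a firm would want to log alongside the decision when demonstrating accountability.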